Plugin Examples
Basic Example
This plugin illustrates the basic concepts of Tenable Nessus Network Monitor plugin writing:
id=79873
nid=11414
hs_sport=143
name=IMAP Banner
description=An IMAP server is running on this port. Its banner is :\n %L
risk=NONE
match=OK
match=IMAP
match=server ready
regex=^.*OK.*IMAP.*server ready
This example uses the following fields:
id - A unique number assigned to this plugin.
nid - The Tenable Nessus ID of the corresponding Tenable Nessus NASL script.
hs_sport - The source port to key on if High Performance mode is enabled.
name - The name of the plugin.
description - A description of the problem or service.
match - The set of match patterns that must all be found in the payload of the packet before the regular expression is evaluated.
regex - The regular expression to apply to the packet payload.
Tip: The description contains the %L macro. If this plugin evaluates successfully, the string in the payload that matched the regular expression is stored in %L and printed in its place at report time.
Complex Example
id=79004
nid=10382
cve=CVE-2000-0318
bid=1144
hs_sport=143
name=Atrium Mercur Mailserver
description=The remote imap server is Mercur Mailserver 3.20. There is a flaw in this server (present up to version 3.20.02) which allow any authenticated user to read any file on the system. This includes other user mailboxes, or any system file. Warning : this flaw has not been actually checked but was deduced from the server banner
solution=There was no solution ready when this vulnerability was written; Please contact the vendor for updates that address this vulnerability.
risk=HIGH
match=>* OK
match=MERCUR
match=IMAP4-Server
regex=^\* OK.*MERCUR IMAP4-Server.*v3\.20\..*$
Tip: The first match pattern makes use of the > symbol. The > symbol indicates that the subsequent string must be at the beginning of the packet payload. Use of the > symbol is encouraged where possible as it is an inexpensive operation.
Case-Insensitive Example
There is a tool called SmartDownLoader that uploads and downloads large files. Unfortunately, versions 0.1 through 1.3 use the capitalization SmartDownloader, versions 1.4 through 2.7 use smartdownloader and versions 2.8 through current use SMARTdownloader. Matching all of these spellings with the regex keyword alone requires a statement that looks like this:
regex=[sS][mM][aA][rR][tT][dD]own[lL]oader
With the regexi keyword, the search string is much simpler and less error-prone:
regexi=smartdownloader
By using regexi, we match all three versions, as well as future permutations of the string smartdownloader, with a single pattern. In a case such as this, regexi is the logical choice.
id=79910
dependency=1442
hs_sport=6789
name=SmartDownLoader Detection
description=The remote host is running SmartDownLoader, a tool for performing rudimentary uploads and downloads of large binary files.
solution=Ensure that this application is in keeping with Corporate policies and guidelines
risk=MEDIUM
family=PeerToPeer
match=ownloader
regexi=smartdownloader
Above is a complete example Tenable Nessus Network Monitor plugin using the regexi keyword. The use of the match keyword to search for the string ownloader is not a typo: by first selecting only the network sessions that contain this string, Tenable Nessus Network Monitor avoids invoking the more expensive regexi search unless the ownloader pattern is present.
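To make the evaluation order concrete for all three plugins on this page (the basic IMAP banner, the Mercur example with its > anchor, and the regexi example), here is an added Python model of how the text describes match=, >, regex/regexi and %L. It is example code written for this page, not Tenable's Nessus Network Monitor engine: it assumes that every match= pattern must be present before the regular expression runs, that match= comparisons are case-sensitive, and that %L receives the full text matched by the regular expression. The plugin copies and the banners are constructed for the example.

```python
import re

# Constructed copies of the plugins shown on this page, in the same key=value
# syntax. Raw strings keep the \n escape and the regex backslashes intact.
IMAP_TEXT = r"""
id=79873
nid=11414
hs_sport=143
name=IMAP Banner
description=An IMAP server is running on this port. Its banner is :\n %L
risk=NONE
match=OK
match=IMAP
match=server ready
regex=^.*OK.*IMAP.*server ready
"""

MERCUR_TEXT = r"""
id=79004
hs_sport=143
name=Atrium Mercur Mailserver
description=The remote imap server is Mercur Mailserver 3.20.
risk=HIGH
match=>* OK
match=MERCUR
match=IMAP4-Server
regex=^\* OK.*MERCUR IMAP4-Server.*v3\.20\..*$
"""

SDL_TEXT = r"""
id=79910
hs_sport=6789
name=SmartDownLoader Detection
risk=MEDIUM
match=ownloader
regexi=smartdownloader
"""

# The same detection with the explicit character classes from the page,
# so both forms can be run against the same payloads.
SDL_REGEX_TEXT = SDL_TEXT.replace("regexi=smartdownloader",
                                  "regex=[sS][mM][aA][rR][tT][dD]own[lL]oader")


def parse_plugin(text):
    """Parse key=value plugin text. Repeated match= keys accumulate in order."""
    plugin = {"match": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "match":
            plugin["match"].append(value)
        else:
            plugin[key] = value
    return plugin


def match_gate(patterns, payload):
    """Cheap substring gate: every match= pattern must occur in the payload.
    A leading '>' means the pattern must start the payload (the page's anchor).
    Assumption of this model: match= comparisons are case-sensitive."""
    for pat in patterns:
        if pat.startswith(">"):
            if not payload.startswith(pat[1:]):
                return False
        elif pat not in payload:
            return False
    return True


def evaluate(plugin, payload):
    """Return the text captured for %L if the plugin fires, else None.
    The regular expression is only evaluated after the match= gate passes,
    which is the ordering the page describes for keeping regex cost down."""
    if not match_gate(plugin["match"], payload):
        return None
    if "regex" in plugin:
        hit = re.search(plugin["regex"], payload)
    elif "regexi" in plugin:
        hit = re.search(plugin["regexi"], payload, re.IGNORECASE)
    else:
        return payload          # assumption: with no regex, the gate alone decides
    return hit.group(0) if hit else None


def render_description(plugin, captured):
    # Expand the literal \n escape and substitute the %L macro at report time.
    return plugin.get("description", "").replace(r"\n", "\n").replace("%L", captured)


IMAP_PLUGIN = parse_plugin(IMAP_TEXT)
MERCUR_PLUGIN = parse_plugin(MERCUR_TEXT)
SDL_PLUGIN = parse_plugin(SDL_TEXT)
SDL_REGEX_PLUGIN = parse_plugin(SDL_REGEX_TEXT)

if __name__ == "__main__":
    # Constructed banners; none were captured from a real server.
    for plugin, banner in [
        (IMAP_PLUGIN, "* OK Dovecot IMAP server ready"),
        (MERCUR_PLUGIN, "* OK MERCUR IMAP4-Server v3.20.02 ready"),
        (MERCUR_PLUGIN, "* OK MERCUR IMAP4-Server v3.30.01 ready"),  # gate passes, regex fails
        (MERCUR_PLUGIN, "noise * OK MERCUR IMAP4-Server v3.20.02"),  # '>' anchor fails
        (SDL_PLUGIN, "SMARTdownloader 3.0"),
        (SDL_PLUGIN, "SmartDownLoader 1.0"),                        # gate misses 'ownLoader'
    ]:
        got = evaluate(plugin, banner)
        print(f"{plugin['name']:28} {banner!r:50} -> {got!r}")
        if got is not None and "%L" in plugin.get("description", ""):
            print(render_description(plugin, got))
```

Two things the run makes visible. The Mercur banner for v3.30 passes every match= pattern and is rejected only by the version part of the regex, so the gate is a prefilter, not the detection itself. And because this model treats match= as case-sensitive (an assumption, as noted), a banner spelled SmartDownLoader never reaches regexi at all: the gate string has to be a literal that every variant you expect actually contains, which is why the page picks ownloader rather than the product name.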